Adaptive timeouts for security credentials

US 10,652,232 B2
Filed: 01/18/2017
Issued: 05/12/2020
Est. Priority Date: 08/23/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

at least one processor; and

memory storing instructions that, when executed by the at least one processor, cause the system to;

receive, from a client, a first request seeking access to at least one resource using at least one security credential;

authenticate the client based at least in part on the at least one security credential;

send the client a session token, generated by the system, that includes a first value and a session identifier for a session initiated based in part on the authentication;

receive, from the client, a second request along with the session token;

determine a badness factor, corresponding to a tolerance to incorrect information, based at least in part on a comparison of the first value of the session token and a second value that is associated with a reference computer, the session identified at least in part by the session identifier;

determine the badness factor exceeds a threshold value, the badness factor being within a first range;

process the second request based in part on, the badness factor being within the first range;

determine a second range, based at least in part on the badness factor exceeding the threshold value, the second range having a smaller acceptable deviation than the first range; and

send, to the client, an updated session token including an updated first value, the updated first value differing from the second value by an amount based at least in part on the badness factor.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Session-specific information stored to a cookie or other secure token can be selected and/or caused to vary over time, such that older copies will become less useful over time. Such an approach reduces the ability of entities obtaining a copy of the cookie from performing unauthorized tasks on a session. A cookie received with a request can contain a timestamp and an operation count for a session that may need to fall within an acceptable range of the current values in order for the request to be processed. A cookie returned with a response can be set to the correct value or incremented from the previous value based on various factors. The allowable bands can decrease with age of the session, and various parameter values such as a badness factor for a session can be updated continually based on the events for the session.

65 Citations

20 Claims

1. A system, comprising:
- at least one processor; and
  
  memory storing instructions that, when executed by the at least one processor, cause the system to;
  
  receive, from a client, a first request seeking access to at least one resource using at least one security credential;
  
  authenticate the client based at least in part on the at least one security credential;
  
  send the client a session token, generated by the system, that includes a first value and a session identifier for a session initiated based in part on the authentication;
  
  receive, from the client, a second request along with the session token;
  
  determine a badness factor, corresponding to a tolerance to incorrect information, based at least in part on a comparison of the first value of the session token and a second value that is associated with a reference computer, the session identified at least in part by the session identifier;
  
  determine the badness factor exceeds a threshold value, the badness factor being within a first range;
  
  process the second request based in part on, the badness factor being within the first range;
  
  determine a second range, based at least in part on the badness factor exceeding the threshold value, the second range having a smaller acceptable deviation than the first range; and
  
  send, to the client, an updated session token including an updated first value, the updated first value differing from the second value by an amount based at least in part on the badness factor.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the instructions when executed further cause the system to:
    - receive a third request from the client, the third request including the updated session token;
      
      determine an updated badness factor based at least in part on a comparison between a third value associated with the updated session token and a fourth value that is associated with the reference computer;
      
      determine that the updated badness factor is outside the second range;
      
      determine an operation count associated with the updated session token and a current operation count associated with the session; and
      
      increase the updated badness factor by an amount based at least in part on an amount of difference between the operation count and the current operation count.
  - 3. The system of claim 1, wherein multiple clients are capable of submitting requests for the session, and wherein the instructions when executed further cause the system to:
    - determine an age of the session; and
      
      determine an inactivity limit for the session based at least in part on the age of the session, wherein the session stays active as long as a request is processed within the inactivity limit, regardless of the age of the session.
  - 4. The system of claim 1, wherein the instructions when executed further cause the system to:
    - store information for up to a determined number of most recently received requests, the information capable of identifying a source of individual one of the most recently received requests; and
      
      determine an inactivity limit for a particular request of the most recently received requests, the inactivity limit for the particular request based at least in part upon a number of the most recently received requests corresponding to a source of the particular request.
  - 5. The system of claim 4, wherein the instructions when executed further cause the system to:
    - determine that the number of the most recently received requests corresponding to the source of the particular request is less than a request threshold; and
      
      determine a modification of the badness factor based at least in part on a difference between the number of the most recently received requests and the request threshold.
  - 6. The system of claim 1, wherein the client comprises at least one of an application executing in a virtual computing instance, a computing device operating as part of a distributed computing environment, an application programming interface (API), an interface of a network interface layer of a resource provider in a multi-tenant computing environment, an application executing on a mobile computing device, or a web application.
  - 7. The system of claim 1, wherein the badness factor is further based at least in part on a determination of a number of different clients that are submitting requests associated with the session or a determination of accuracy with regard to information associated with the session token received from the client.

8. A computer-implemented method, comprising:
- receiving, from a client, a first request seeking access to at least one resource using at least one security credential;
  
  authenticating the client based at least in part on the at least one security credential;
  
  sending the client a session token, generated by a server, that includes a first value and a session identifier for a session initiated based in part on the authentication;
  
  receiving, from the client, a second request along with the session token;
  
  determining a badness factor, corresponding to a tolerance to incorrect information, based at least in part on a comparison of the first value of the session token and a second value that is associated with a reference computer, the session identified at least in part by the session identifier;
  
  determining the badness factor exceeds a threshold value, the badness factor being within a first range;
  
  processing the second request;
  
  determining a second range, based at least in part on the badness factor exceeding the threshold value, the second range having a smaller acceptable deviation than the first range;
  
  sending, to the client, an updated session token including an updated first value, the updated first value differing from the second value by an amount based at least in part on the badness factor.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-implemented method of claim 8, further comprising:
    - receiving a third request from the client, the third request including the updated session token;
      
      determining an updated badness factor based at least in part on a comparison between a third value associated with the updated session token and a fourth value that is associated with the reference computer;
      
      determining that the updated badness factor is outside the second range;
      
      determining an operation count associated with the updated session token and a current operation count associated with the session; and
      
      increasing the updated badness factor by an amount based at least in part on an amount of difference between the operation count and the current operation count.
  - 10. The computer-implemented method of claim 8, wherein multiple clients are capable of submitting requests for the session, and further comprising:
    - determining an age of the session; and
      
      determining an inactivity limit for the session based at least in part on the age of the session, wherein the session stays active as long as a request is processed within the inactivity limit, regardless of the age of the session.
  - 11. The computer-implemented method of claim 8, further comprising:
    - storing information for up to a determined number of most recently received requests, the information capable of identifying a source of individual one of the most recently received requests; and
      
      determining an inactivity limit for a particular request of the most recently received requests, the inactivity limit for the particular request based at least in part upon a number of the most recently received requests corresponding to a source of the particular request.
  - 12. The computer-implemented method of claim 11, further comprising:
    - determining that the number of the most recently received requests corresponding to the source of the particular request is less than a request threshold; and
      
      determining a modification of the badness factor based at least in part on a difference between the number of the most recently received requests and the request threshold.
  - 13. The computer-implemented method of claim 8, wherein the client comprises at least one of an application executing in a virtual computing instance, a computing device operating as part of a distributed computing environment, an application programming interface (API), an interface of a network interface layer of a resource provider in a multi-tenant computing environment, an application executing on a mobile computing device, or a web application.
  - 14. The computer-implemented method of claim 8, wherein the badness factor is further based at least in part on a determination of a number of different clients that are submitting requests associated with the session or a determination of accuracy with regard to information associated with the session token received from the client.

15. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- receive, from a client, a first request seeking access to at least one resource using at least one security credential;
  
  authenticate the client based at least in part on the at least one security credential;
  
  send the client a session token, generated by the computing device, that includes a first value and a session identifier for a session initiated based in part on the authentication;
  
  receive, from the client, a second request along with the session token;
  
  determine a badness factor, corresponding to a tolerance to incorrect information, based at least in part on a comparison of the first value of the session token and a second value that is associated with a reference computer, the session identified at least in part by the session identifier;
  
  determine the badness factor exceeds a threshold value, the badness factor being within a first range;
  
  process the second request;
  
  determine a second range, based at least in part on the badness factor exceeding the threshold value, the second range having a smaller acceptable deviation than the first range;
  
  send, to the client, an updated session token including an updated first value, the updated first value differing from the second value by an amount based at least in part on the badness factor.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein the instructions when executed further cause the computing device to:
    - receive a third request from the client, the third request including the updated session token;
      
      determine an updated badness factor based at least in part on a comparison between a third value associated with the updated session token and a fourth value that is associated with the reference computer;
      
      determine that the updated badness factor is outside the second range;
      
      determine an operation count associated with the updated session token and a current operation count associated with the session; and
      
      increase the updated badness factor by an amount based at least in part on an amount of difference between the operation count and the current operation count.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein the instructions when executed further cause the computing device to:
    - determine an age of the session; and
      
      determine an inactivity limit for the session based at least in part on the age of the session, wherein the session stays active as long as a request is processed within the inactivity limit, regardless of the age of the session.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein the instructions when executed further cause the computing device to:
    - store information for up to a determined number of most recently received requests, the information capable of identifying a source of individual one of the most recently received requests; and
      
      determine an inactivity limit for a particular request of the most recently received requests, the inactivity limit for the particular request based at least in part upon a number of the most recently received requests corresponding to a source of the particular request.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the instructions when executed further cause the computing device to:
    - determine that the number of the most recently received requests corresponding to the source of the particular request is less than a request threshold; and
      
      determine a modification of the badness factor based at least in part on a difference between the number of the most recently received requests and the request threshold.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein the client comprises at least one of an application executing in a virtual computing instance, a computing device operating as part of a distributed computing environment, an application programming interface (API), an interface of a network interface layer of a resource provider in a multi-tenant computing environment, an application executing on a mobile computing device, or a web application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Allen, Nicholas Alexander, Ilac, Cristian M.
Primary Examiner(s)
Gergiso, Techane

Application Number

US15/409,120
Publication Number

US 20170134367A1
Time in Patent Office

1,210 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/121   Timestamp cryptographic mec...

H04L 43/106   using time related informat...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0846   using time-dependent-passwo...

H04L 63/108   when the policy decisions a...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/14   Session management for real...

H04L 67/146   Markers for unambiguous ide...

Adaptive timeouts for security credentials

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive timeouts for security credentials

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links